sl70 Guru
Joined: 18 Jun 2002 Posts: 455 Location: Saitama, JP
Posted: Sun Jun 02, 2024 7:22 am Post subject: fail2ban runs but nothing gets stopped |
I set up fail2ban according to the wiki, copied /etc/fail2ban/jail.conf to jail.local, and made very basic edits -- just enabled the sshd jail.
Code: | diff jail.conf jail.local
274c274
< # [sshd]
---
> [sshd]
279,280c279,281
< #mode = normal
< # port = ssh
---
> # mode = normal
> enabled = true
> port = ssh
282a284
> # port = ssh |
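Review bot: in the second hunk (279,280c279,281), `port = ssh` resolves through /etc/services to port 22, but the post states sshd is listening on a non-standard port, so once the filter starts matching, the default iptables-multiport ban action would only block 22 and leave the real port reachable; set `port` to the actual listening port, or use an all-ports action. Nothing in the diff touches `logpath` or `backend`, and the status output below shows an empty `File list:`, i.e. the jail is watching no file at all, which already explains `Total failed: 0` regardless of the port; `fail2ban-client get sshd logpath` shows where the distribution's `sshd_log` path resolves.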
That seems to work. No error messages, anyway.
Code: | 2024-06-02 12:18:10,904 fail2ban.server [21171]: INFO Starting Fail2ban v1.0.2
2024-06-02 12:18:10,904 fail2ban.server [21171]: INFO Daemon started
2024-06-02 12:18:10,905 fail2ban.observer [21171]: INFO Observer start...
2024-06-02 12:18:10,916 fail2ban.database [21171]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2024-06-02 12:18:10,917 fail2ban.jail [21171]: INFO Creating new jail 'sshd'
2024-06-02 12:18:10,979 fail2ban.jail [21171]: INFO Jail 'sshd' uses poller {}
2024-06-02 12:18:10,979 fail2ban.jail [21171]: INFO Initiated 'polling' backend
2024-06-02 12:18:10,980 fail2ban.filter [21171]: INFO maxLines: 1
2024-06-02 12:18:10,990 fail2ban.filter [21171]: INFO maxRetry: 5
2024-06-02 12:18:10,990 fail2ban.filter [21171]: INFO findtime: 600
2024-06-02 12:18:10,990 fail2ban.actions [21171]: INFO banTime: 600
2024-06-02 12:18:10,990 fail2ban.filter [21171]: INFO encoding: UTF-8
2024-06-02 12:18:10,991 fail2ban.jail [21171]: INFO Jail 'sshd' started
|
In spite of having this my logs are filled with messages like these:
Code: | Jun 2 16:06:53 musume sshd[22093]: User root from 120.79.78.58 not allowed because not listed in AllowUsers
Jun 2 16:06:53 musume sshd[22093]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=120.79.78.58 user=root
Jun 2 16:06:55 musume sshd[22093]: Failed password for invalid user root from 120.79.78.58 port 60244 ssh2
Jun 2 16:06:56 musume sshd[22093]: Connection closed by invalid user root 120.79.78.58 port 60244 [preauth]
|
And this:
Code: | fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list:
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
|
I depend on my router to keep unwanted connections out. I only have sshd running and open on a non-standard port. I also have not included root in the /etc/ssh/sshd_config AllowUsers list. But on some days I have more than 1000 unauthorized connection attempts. It annoys me. I would really like to stop these attempts before they start, or at least right after they start. How can I get fail2ban to do what I expect it to? |
szatox Advocate
Joined: 27 Aug 2013 Posts: 3477
Posted: Sun Jun 02, 2024 10:18 am Post subject: |
I was too lazy to properly research Gentoo way to configure many services (I'm looking at you, apache2), so I just went with this (combined with ssh persistence and multiplexing):
Quote: | -A ssh -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name ssh -j DROP |
1 IP can make 3 attempts in a row, then 1 more after every hour.
Basically, rate limit the whole internet, whether login succeeds or not. Also, nmap scans count towards this limit too.
This comes after rules accepting packets from connections that are already established and those coming in via a VPN, so I'm not going to accidentally lock myself out.
Code: | cat /etc/ssh/ssh_config.d/multiplex.conf
Host *
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p.socket
ControlPersist 5m |
_________________ Make Computing Fun Again |
sl70 Guru
Joined: 18 Jun 2002 Posts: 455 Location: Saitama, JP
Posted: Mon Jun 03, 2024 3:22 am Post subject: |
Thanks for the help, but I'm afraid I don't understand this at all. The first quoted line looks like an iptables invocation, but I don't know where it would go. Likewise for the second snippet of code. I don't have a /etc/ssh_config.d directory or a multiplex.conf file. I'm afraid I need more basic help. |
szatox Advocate
Joined: 27 Aug 2013 Posts: 3477
Posted: Mon Jun 03, 2024 9:10 am Post subject: |
Those are NOT a part of f2b; it's my replacement for f2b. Legitimate users start _fewer_ connections than attackers, so it's OK to temporarily ban them too, which is why:
I added a generic iptables rule for rate limiting clients (which should mostly work with the way ssh is typically used) + ssh config for the client, which makes subsequent sessions avoid rate limits.
With this confusion sorted, you should be able to modify your server's firewall and client's ssh configs; it's not that difficult.
If you're OK with using something other than F2B, of course. _________________ Make Computing Fun Again |
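To make the hashlimit rule's behaviour concrete, here is a small token-bucket model of `-m hashlimit --hashlimit-above 1/hour --hashlimit-burst 3 --hashlimit-mode srcip` run over a constructed connection timeline. This is an added illustration, not iptables code and not anything from the posts above; it assumes, as the posts describe, that the rule sits after an ESTABLISHED,RELATED accept (so only new connections reach it) and is followed by an ACCEPT for the ssh port, and it approximates the kernel's credit refill as continuous.

```python
"""
Token-bucket model of an iptables hashlimit rule keyed on source IP.
Added example (not iptables code). hashlimit keeps one bucket per source:
`burst` credits to start, refilled at `rate` per hour up to `burst`.
A new connection that finds a credit is below the limit: the rule does NOT
match and the packet continues to the later ACCEPT for the ssh port. With
no credit left the rule matches and jumps to DROP.
"""
from dataclasses import dataclass, field


@dataclass
class HashLimit:
    rate_per_hour: float = 1.0   # --hashlimit-above 1/hour
    burst: int = 3               # --hashlimit-burst 3
    # per-source state: credits left and the time of the last packet seen
    _buckets: dict = field(default_factory=dict)

    def verdict(self, src_ip: str, t_seconds: float) -> str:
        credits, last = self._buckets.get(src_ip, (float(self.burst), t_seconds))
        # continuous refill since the last packet from this source (model assumption)
        elapsed_hours = (t_seconds - last) / 3600.0
        credits = min(float(self.burst), credits + elapsed_hours * self.rate_per_hour)
        if credits >= 1.0:
            self._buckets[src_ip] = (credits - 1.0, t_seconds)
            return "ACCEPT"   # below the limit: falls through to the ssh ACCEPT rule
        self._buckets[src_ip] = (credits, t_seconds)
        return "DROP"         # above the limit: hashlimit matched, -j DROP


def simulate(events):
    """events: list of (seconds, src_ip) for NEW connections reaching the rule.
    Returns a list of (seconds, src_ip, verdict) in the same order."""
    hl = HashLimit()
    return [(t, ip, hl.verdict(ip, t)) for t, ip in events]


# Constructed timeline (documentation-range addresses). 198.51.100.7 is a
# brute-forcer opening connections back to back; 203.0.113.5 is an admin
# whose client uses ControlMaster, so only ONE new connection ever reaches
# the rule and later sessions ride the existing master socket.
EVENTS = [
    (0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"),  # burst of 3
    (3, "198.51.100.7"), (4, "198.51.100.7"),                       # 4th and 5th: dropped
    (10, "203.0.113.5"),                                             # admin: fresh bucket
    (3600 + 5, "198.51.100.7"),   # one hour later: exactly one credit refilled
    (3600 + 6, "198.51.100.7"),   # and it is spent again immediately
]

if __name__ == "__main__":
    for t, ip, v in simulate(EVENTS):
        print(f"t={t:>5}s {ip:<14} {v}")
```

The point the model makes explicit: the limit is per source and blind to whether authentication succeeded, so an admin who opens several separate ssh sessions inside an hour burns through the same three credits an attacker does, which is exactly what the client-side `ControlMaster`/`ControlPersist` settings in the earlier post avoid.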
phanxen n00b
Joined: 02 Jan 2022 Posts: 11 Location: Jugoslavija
Posted: Tue Nov 05, 2024 7:02 pm Post subject: |
Today I found that fail2ban was not working on my system.
After some research I realized that the problem is the daemon name used in the configuration. In the file /etc/fail2ban/filter.d/sshd.conf I found the following line:
However, the messages in the system logs show that the SSH daemon is labeled sshd-session:
Code: | Nov 5 19:42:30 mygentoobox sshd-session[30602]: error: PAM: User not known to the underlying authentication module for illegal user matt from 1.2.3.4
Nov 5 19:42:30 mygentoobox sshd-session[30602]: Failed keyboard-interactive/pam for invalid user matt from 1.2.3.4 port 33257 ssh2
Nov 5 19:42:30 mygentoobox sshd-session[30602]: Connection closed by invalid user matt 1.2.3.4 port 33257 [preauth]
|
So, check that the daemon name is correct. Also, for testing, you can use the following command line:
Code: | $ sudo fail2ban-regex /var/log/sshd/sshd.log /etc/fail2ban/filter.d/sshd.conf
|
On the other hand, I'm not sure if this is some kind of bug or not. I have checked the main branch of the official fail2ban GitHub account, and the daemon is also called sshd.
Best regards _________________ :.P.h.A.n.X.e.N.: |
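The daemon-name mismatch described above is easy to reproduce outside fail2ban. The following is an added example, not fail2ban's own filter code: it assembles a simplified syslog prefix plus two failure patterns approximating entries in filter.d/sshd.conf, then runs them over constructed log lines tagged `sshd[...]` and `sshd-session[...]`. The `sshd(?:-session)?` variant is my assumption of what the prefix needs to accept; check the `_daemon`/`__prefix_line` definitions shipped with your fail2ban version (and run `fail2ban-regex` against your real log) rather than taking this regex as upstream's.

```python
"""
Why a filter anchored on the literal tag `sshd` misses `sshd-session` lines.
Added illustration; the patterns are hand-written approximations of
fail2ban's sshd filter, and SAMPLE_LOG is constructed for this example.
"""
import re

# Constructed sample: two lines with the classic tag, three with the
# per-connection `sshd-session` tag that newer OpenSSH releases log under.
SAMPLE_LOG = """\
Jun 2 16:06:53 musume sshd[22093]: Failed password for invalid user root from 120.79.78.58 port 60244 ssh2
Jun 2 16:06:55 musume sshd[22093]: Connection closed by invalid user root 120.79.78.58 port 60244 [preauth]
Nov 5 19:42:30 mygentoobox sshd-session[30602]: Failed keyboard-interactive/pam for invalid user matt from 1.2.3.4 port 33257 ssh2
Nov 5 19:42:30 mygentoobox sshd-session[30602]: Connection closed by invalid user matt 1.2.3.4 port 33257 [preauth]
Nov 5 19:42:31 mygentoobox sshd-session[30603]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2
"""

# "Mon DD HH:MM:SS host " (traditional syslog timestamp, then the hostname)
SYSLOG_PREFIX = r"^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+\S+\s+"

# Approximations of two failregex bodies; `host` plays the role of <HOST>.
FAIL_BODIES = [
    r"Failed (?:password|keyboard-interactive/pam) for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2",
    r"Connection closed by invalid user \S+ (?P<host>\S+) port \d+ \[preauth\]",
]

# Literal tag only: what a filter with `_daemon = sshd` effectively requires.
OLD_DAEMON = r"sshd"
# Assumed fix for this example: also accept the `-session` suffix.
NEW_DAEMON = r"sshd(?:-session)?"


def build_failregexes(daemon_pattern: str) -> list:
    """One compiled regex per failure body, each anchored on prefix + daemon tag + pid."""
    prefix = SYSLOG_PREFIX + daemon_pattern + r"\[\d+\]:\s+"
    return [re.compile(prefix + body) for body in FAIL_BODIES]


def matched_hosts(log_text: str, daemon_pattern: str) -> list:
    """Hosts extracted from every line that any failregex matches, in log order
    (this list is what a jail would count against maxretry)."""
    regexes = build_failregexes(daemon_pattern)
    hosts = []
    for line in log_text.splitlines():
        for rx in regexes:
            m = rx.match(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


if __name__ == "__main__":
    print("tag 'sshd' only        :", matched_hosts(SAMPLE_LOG, OLD_DAEMON))
    print("tag 'sshd(-session)?'  :", matched_hosts(SAMPLE_LOG, NEW_DAEMON))
```

With the literal tag only the two `sshd[22093]` lines yield a host; the `sshd-session` failures are silently ignored, which is the "Total failed: 0" symptom, while the successful-login line matches nothing under either prefix, as it should.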
flexibeast Guru
Joined: 04 Apr 2022 Posts: 473 Location: Naarm/Melbourne, Australia
freke Veteran
Joined: 23 Jan 2003 Posts: 1036 Location: Somewhere in Denmark
Posted: Sat Nov 09, 2024 12:45 pm Post subject: |
This works for me:
Code: | [sshd]
enabled = true
bantime = 2d
filter = sshd[mode=extra]
action = iptables-allports[name=sshd, protocol=tcp]
logpath = /var/log/messages
maxretry = 1
findtime = 1d |
Code: | Nov 9 13:42:34 ns sshd-session[12420]: Connection from 2a06:4002:9044:0:55f6:e8df:ea41:8629 port 50479 on 2a06:4002:9044::11 port 22 rdomain ""
Nov 9 13:42:34 ns sshd-session[12420]: Invalid user rooto from 2a06:4002:9044:0:55f6:e8df:ea41:8629 port 50479
Nov 9 13:42:35 ns fail2ban.filter[2066]: INFO [sshd] Ignore 2a06:4002:9044:0:55f6:e8df:ea41:8629 by ip
Nov 9 13:42:39 ns sshd-session[12420]: error: Received disconnect from 2a06:4002:9044:0:55f6:e8df:ea41:8629 port 50479:14: No supported authentication methods available [preauth]
Nov 9 13:42:39 ns sshd-session[12420]: Disconnected from invalid user rooto 2a06:4002:9044:0:55f6:e8df:ea41:8629 port 50479 [preauth]
Nov 9 13:42:39 ns sshd[2135]: srclimit_penalise: ipv6: new 2a06:4002:9044:0:55f6:e8df:ea41:8629/128 deferred penalty of 1 seconds for penalty: connections without attempting authentication
Nov 9 13:42:39 ns fail2ban.filter[2066]: INFO [sshd] Ignore 2a06:4002:9044:0:55f6:e8df:ea41:8629 by ip
Nov 9 13:42:39 ns fail2ban.filter[2066]: INFO [sshd] Ignore 2a06:4002:9044:0:55f6:e8df:ea41:8629 by ip |